Methods apparatus and program products for wireless access points

ABSTRACT

Methods, apparatus and program products which monitor wireless access points (12, 16) through which data can be exchanged with a network (10), identify an unauthorized access point (16), and respond to monitored data flow in a variety of manners including determining the location of the identified unauthorized access point, establishing filtering, and controlling accounting for access services.

BACKGROUND OF THE INVENTION

The description which follows presupposes knowledge of network data communications and switches and routers as used in such communications networks. In particular, the description presupposes familiarity with the ISO model of network architecture which divides network operation into layers. A typical architecture based upon the ISO model extends from Layer 1 (also sometimes identified as “L1”) being the physical pathway or media through which signals are passed upwards through Layers 2, 3, 4 and so forth to Layer 7, the last mentioned being the layer of applications programming running on a computer system linked to the network. In this document, mention of L1, L2 and so forth is intended to refer to the corresponding layer of a network architecture. The disclosure also presupposes a fundamental understanding of bit strings known as packets and frames in such network communication.

The 802.11 standard is a family of specifications created by the Institute of Electrical and Electronics Engineers Inc. for wireless local area networks in the 2.4-gigahertz bandwidth space. 802.11 can be thought of as a way to connect computers and other electronic devices to each other and to the Internet at very high speed without any cumbersome wiring—basically, a faster version of how a cordless phone links to its base station. With 802.11, electronic devices can talk to each other over distances of about 300 feet at 11 megabits a second, which is faster than some wired networks in corporate offices.

Devices using 802.11—increasingly known as Wi-Fi—are relatively inexpensive. A network access point can be bought for about $500 and will coordinate the communication of all 802.11 equipped devices within range and provide a link to the Internet and/or any intranet to which the access point is linked. The cards that let a laptop computer or other device “plug” into the network cost $100 to $200. Some personal communication devices come enabled for 802.11 communications without the need of an additional card. Wireless 802.11 cards and access points are flying off the shelves of computer suppliers. People want and find easy connectivity with 802.11-standard products. Such networks are also known by more formal names as ad-hoc wireless networks and, in some instances, as mobile ad-hoc networks or MANETs.

Providing so much wireless speed at a modest price is having profound implications for a world bent on anytime/anywhere communication. Wi-Fi is spreading rapidly. College students are setting up networks in their dorms and cafeterias. Folks in some parts of San Francisco are building 802.11 networks to cover their neighborhoods. Starbucks Corp., United Airlines Inc., and Holiday Inn, among others, are installing 802.11 networks in their shops, airport lounges, and hotels, in a nod toward their customers' desire to stay connected. It has been reported that, in 2000, the number of people using wireless local area networks rose by 150 percent, according to Synergy Research Group. Cahners In-Stat Group, a Scottsdale, Ariz.-based market research firm, sees the number of wireless data users in business growing from 6.6 million today to more than 39 million by 2006. Feeding this trend is the fact that almost a quarter of all workers in small or medium-sized business are mobile workers, spending at least 20 percent of their time away from the office. Wireless e-mail is their prime need, which is why mobile computing products with always-on e-mail capability continue to sell so well. In early 2002, it was estimated that between 25,000 and 50,000 people install and manage 802.11 networks every day.

The wireless trend will inevitably spill over into the home networking market. A major reason is price: The cost of access points, equipment that connects to the wireless network; and network interface cards, or NICs, that make the link between the PC and the access point, is dropping. Those low prices catch the eye of shoppers, which is why the home market grew 20 percent in the last quarter of 2001.

Successor technologies to 802.11 are on the horizon. One is ultra-wideband radio technology or UWB, which uses a wide spectrum technology at low power to transfer data at a very high speed. UWB will be perhaps ten times faster than 802.11, yet suffer from some of the same exposures described here. Another is the inclusion of radio frequency function directly on chips which perform other functions such as system central processors and network processors.

And there's the problem, and a real dilemma it presents. Once again, information technology administrators and users are caught between ease of use and requirements for security. There are two major problems with wireless today and which can be anticipated as remaining into the future. One is that all too often it is implemented without any kind of security at all. The other is that the out-of-the-box security options, if the consumer switches them on, are completely ineffectual. According to Gartner Dataquest, about thirty percent of all companies with a computer network have some kind of wireless network, either official or rogue. Furthermore, if the business or cafe next door has a wireless network, the business might be in trouble.

Wireless is so wide open, in fact, that it has given birth to a new technologist Olympic sport: war driving. The game is all about seeing how many potential targets can be found. All that is needed to play is a laptop, a wireless PC card, and some software. War driving has been widely discussed in the technical press and on technology web sites, and does occur on a regular basis. The new hobby for bored teenagers and technogeeks is to drive around with an antenna and GPS strapped to a laptop hunting for wireless access points. While most are not maliciously attacking networks and are carefully preventing themselves from accessing the network and any of the files contained therein, not everyone is so polite.

One of the more popular tools used in war driving, NetStumbler, tells you the access point name, whether encryption is enabled, and numerous other bits of information. NetStumbler is also a great tool for administrators trying to identify rogue, unauthorized, access points which have been connected in their organizations. One user picked up twenty access points during a quick drive down Highway 101 in Silicon Valley. Another user, cruising the financial district in London and using an antenna made from an empty Pringles brand potato chip can found almost sixty access points in thirty minutes. Kismet is a wireless network sniffer for Linux that includes many of the same capabilities as NetStumbler. AirSnort is a Linux-based tool that tries to recover encryption keys. These and many more tools are freely available on the Internet.

Although organizations still must be vigilant about securing their main Internet gateway, the corporate perimeter is expanding wirelessly. How many users access the internal network via a VPN or other means of remote access? How many of those users have wireless networks at home? Are they secure? If not, your internal network is vulnerable, regardless of how secure your main Internet gateway is. Until 802.11 and UWB are made and proven secure, smart network managers will keep worrying. Particularly where employees lacking authorization to do so go to their friendly computer supply store, buy a wireless access point, bring it to their place of employment, and power it up connected to their employer's intranet.

It is important to note that access nodes or points today generally function at Layer 2 and have no knowledge of Layer 3 addressing, while the edge router which they are connected to has full knowledge of Layer 3 addressing. As technology has advanced more and more function has been incorporated into the access points. For example, originally these were simplistic “wiring concentrators” such as the IBM 8228 which was a completely unpowered product. Today these access points typically are Layer 2 switches with full knowledge of the Layer 2, or Medium Access Control (MAC), addresses of the devices that are connected to them, be they wireless or wired.

In the future these access points, with the advent of low cost Network Processors (as separately described in the literature), will become fully Layer 3 aware, particularly in respect to knowing the IP address of end stations connected to them. Of course today, an edge router already has this knowledge of IP addresses of end devices connected directly to it. Today all edge nodes and some access nodes have the capability to be, via the network, connected to a Network Management console using a messaging protocol known as Simple Network Management Protocol (SNMP). In the future all access nodes will have this capability.

SUMMARY OF THE INVENTION

The present invention has as a purpose enabling a network administrator or manager to identify the presence of a rogue, or unauthorized, access point, thereby assisting in enhanced security for networks. A further purpose is to enable determination of the geographic location of an unauthorized access point. The present invention also has as a purpose enabling a network administrator or manager to control the activity of a rogue, or unauthorized, access point. The present invention also has as a purpose enabling a network administrator or manager to automate the control of a rogue, or unauthorized, access point, thereby assisting in enhanced manageability for networks. The present invention also has as a purpose enabling a network administrator or manager to control the accounting or billing for activity exchanged with a network through a rogue, or unauthorized, access point, thereby assisting in enhanced financial security for networks.

These purposes are pursued by methods, apparatus and program products which monitor access points through which data can be exchanged with a network, identify an unauthorized access point, and control certain activity through the access point.

BRIEF DESCRIPTION OF THE DRAWINGS

Some of the purposes of the invention having been stated, others will appear as the description proceeds, when taken in connection with the accompanying drawings, in which:

FIG. 1 is a schematic representation of a network installed within a facility, including workstation computer systems and a server computer system, and to which an unauthorized access point has been attached;

FIGS. 2, 3, 5 and 6 are simplified flow charts showing steps performed in the network of FIG. 1;

FIG. 4 is a schematic representation of a wireless access point such as may be functional in the network shown in FIG. 1 and which incorporates a network processor; and

FIG. 7 is a view of a computer readable medium bearing a program effective when executing on an appropriate one of the systems of FIG. 1 to implement the steps of FIGS. 2, 3, 5 and 6.

DESCRIPTION OF THE PREFERRED EMBODIMENT(S)

While the present invention will be described more fully hereinafter with reference to the accompanying drawings, in which a preferred embodiment of the present invention is shown, it is to be understood at the outset of the description which follows that persons of skill in the appropriate arts may modify the invention here described while still achieving the favorable results of the invention. Accordingly, the description which follows is to be understood as being a broad, teaching disclosure directed to persons of skill in the appropriate arts, and not as limiting upon the present invention.

As briefly mentioned above, a problem with the proliferation of the 802.11 standard is that it is easily possible for a person to set up a wireless access point to a network, without the information technology (IT) organization responsible for managing the network knowing about it. This is a problem because such access points may be (and usually are) misconfigured, thus granting to the world access to the network and data residing therein.

When such access points are put up, it may be difficult to determine by querying the network that they are there or how they are configured. This can vary depending upon the specific type of access point deployed and the network sophistication, as discussed more fully hereinafter. Current solutions for simple access points are to use Net Stumbler (or similar software) on a mobile computing device such as a notebook or personal digital assistant (PDA), use signal strength measurements to determine when the user is getting closer to or further away from an access point, and make manual reference to an index to determine if the access point is an unauthorized “rogue”. This requires a person to periodically sweep through a facility to find any unauthorized access point.

This invention provides several ways to locate unauthorized access points quickly, without the necessity of having a wandering user.

Referring now more particularly to the Figures, FIG. 1 illustrates a network 10 having a server computer system 11, a plurality of authorized access points 12 which may be either wireless or wired, and a plurality of workstation computer systems 14. Each workstation computer system 14 is coupled to the network, either through a wireless connection or possibly through a wired connection or both. Depending upon the size and scope of a facility, managed networks may have a mix of types of systems and types of connections. The workstations may be notebook computer systems, personal digital assistant systems, advanced function telephones, desktop or minitower systems, or other devices capable of accessing the network 10 through the access points.

Access to the network 10 may come through an authorized wireless access point 15 and, in the illustrated network, through an unauthorized or rogue wireless access point 16. The rogue access point 16 may have been established by an individual or group acting without the knowledge or permission of the information technology management. In accordance with some purposes of this invention, the detection and location of the rogue access point 16 is a goal to be accomplished.

In accordance with the present invention, at least one, if not a plurality or even all, of the workstations 14 is equipped with a facility for wireless or radio frequency connection to the network 10. This or these workstations also have monitoring software installed, such as Net Stumbler, which is capable of detecting and gathering information about all wireless access points with which the system can communicate. In addition, and in accordance with this invention, the system(s) also has/have reporting software installed which is capable of passing the information gathered by the monitoring program back into the network 10 and to the server computer system 11. FIG. 2 represents schematically the functions of the software installed on a workstation 14 in accordance with the aspects of the present invention here under discussion.

Where it is desired that a minimal number of monitoring and reporting systems are used, the number may be reduced to what is known mathematically as a dense set. That is, a set of systems close enough to all points where a rogue access point might be located that at least one system will detect the rogue. For a small building or area, a single system may provide the dense set. For larger areas, a plurality of systems as shown in FIG. 1 are more desirable.

The present invention contemplates that the information gathered about access points detected by a workstation will include information about signal strength. The present invention also contemplates that the monitoring software may be executed periodically as distinguished from continuously. Thus, the software might be executed once an hour or once a day during normal business hours so as to avoid imposing an excessive burden on other uses of the workstations. Executing the monitoring software may require temporarily setting the network interface card (NIC) or wireless interface into a different mode to gather information, then resetting the interface so that normal operation continues. This can be done quickly enough so as to be outside the awareness of most if not all users. Monitoring may also include an initial check of the activity of the access points sensed, in order that signal strength measurements can be appropriately calibrated.

Using a single workstation to monitor will provide two data points: whether there is a rogue access point and the signal strength of the rogue access point. Discussion will follow later in this description of the potential advantages of using multiple monitoring stations.

As monitoring occurs and information is gathered, the information is reported through the network to the server 11. The information transmitted may be encrypted or otherwise sheltered against inappropriate access. The server system has software installed which receives the reported information, maintains a list of authorized access points, and compares the reported information to the list. The server system thereby identifies any rogue or unauthorized access point, such as the point 16 in FIG. 1, which has come within communications reach of one of the monitoring workstations. The server system also stores information about the reported signal strength.

The responsible IT organization will know the location of each workstation 14 or be able to determine that location (should the workstation be mobile) by analysis of the signal strengths of the reported access points such as the points 15 and 16 in FIG. 1. From this information, and the reported signal strengths of the detection of a rogue access point, the location of a rogue access point can be determined. FIG. 3 represents schematically the functions of the software installed on the server system 11 in accordance with certain aspects of this invention.

The present invention contemplates that the operations described may be enhanced by such activities as providing wireless access points distributed through an area to be monitored and which are specifically not connected to the network. Such dummy access points will provide additional information about relative signal strengths and may assist in locating points which have been positioned somewhat remotely from authorized access points. Additionally, monitoring stations which are inactive as workstations may likewise be distributed through an area to be monitored specifically for the purpose of monitoring areas which may be somewhat remote from the usual distribution of fixed or mobile workstations. Information may be selectively gathered about monitoring stations as well as access points, providing additional data points for analysis. Such information about other clients may be monitored and reported, and the server system may use such information to locate—or not locate—monitoring systems as well as rogue and authorized access points.

With the workstations and server system cooperating, the present invention implements a method in which monitoring access points through which data can be exchanged with a network occurs, an unauthorized access point is identified, and the location of the identified unauthorized access point is determined. This follows from equipping each of a plurality of computer devices to detect access points accessible to the device and to report to a server computer system the identity of detected access points. Monitoring comprises intermittently and periodically determining the availability of access points, which can be done by monitoring at predetermined regular intervals or at random irregular intervals. Identification of an unauthorized access point is done by comparing the identity of monitored access points with a database of authorized access points. Determining the location of an identified unauthorized access point is done by comparing the locations of a plurality of computer devices all of which report detection of the identified unauthorized access point.
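The server-side steps just described (collect workstation reports, compare against the authorized list, estimate a rogue's position from the locations of the stations that saw it), worked through as an added Python example. This is illustrative code written for this page, not code from the patent or from any product it names. The BSSIDs, station coordinates and signal strengths are constructed, and the conversion from RSSI to a weight is an assumed uncalibrated heuristic; the text leaves calibration of signal strength measurements to the operator. It follows the text's point that a single reporting station yields presence and signal strength only, so no position is estimated until at least two stations report the same access point.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points keyed by BSSID (MAC address),
# standing in for the server's list of authorized access points.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "ap-floor1-east",
    "00:11:22:33:44:02": "ap-floor1-west",
}


@dataclass(frozen=True)
class Report:
    """One access point sighting reported by a monitoring workstation."""
    station: str            # reporting workstation
    location: tuple         # (x, y) in metres; known to IT for each station
    bssid: str              # MAC address of the access point seen
    ssid: str
    rssi_dbm: int           # signal strength as reported by the monitoring software


# Constructed reports from three monitoring workstations during one sweep.
SAMPLE_REPORTS = [
    Report("ws-a", (0.0, 0.0), "00:11:22:33:44:01", "corp", -50),
    Report("ws-a", (0.0, 0.0), "AA:BB:CC:DD:EE:FF", "linksys", -80),
    Report("ws-b", (30.0, 0.0), "AA:BB:CC:DD:EE:FF", "linksys", -55),
    Report("ws-c", (30.0, 20.0), "AA:BB:CC:DD:EE:FF", "linksys", -60),
    Report("ws-c", (30.0, 20.0), "00:11:22:33:44:02", "corp", -48),
]


def identify_rogues(reports, authorized):
    """BSSIDs that were reported but are absent from the authorized inventory."""
    return {r.bssid for r in reports if r.bssid not in authorized}


def rssi_weight(rssi_dbm, floor_dbm=-100):
    """Assumed heuristic: weight grows linearly with dB above a noise floor.
    A calibrated propagation model would replace this in practice."""
    return max(rssi_dbm - floor_dbm, 1)


def estimate_location(reports, bssid):
    """Weighted centroid of the stations that detected `bssid`.

    Returns None when fewer than two stations detected it: a single station
    only establishes presence and signal strength, not a position.
    """
    seen = {}
    for r in reports:
        if r.bssid == bssid:
            seen[r.station] = r      # keep one report per station
    if len(seen) < 2:
        return None
    weights = {s: rssi_weight(r.rssi_dbm) for s, r in seen.items()}
    total = sum(weights.values())
    x = sum(seen[s].location[0] * w for s, w in weights.items()) / total
    y = sum(seen[s].location[1] * w for s, w in weights.items()) / total
    return (round(x, 1), round(y, 1))


def locate_rogues(reports, authorized):
    """Server-side summary: each rogue BSSID with its estimated location."""
    return {b: estimate_location(reports, b) for b in identify_rogues(reports, authorized)}


if __name__ == "__main__":
    for bssid, where in locate_rogues(SAMPLE_REPORTS, AUTHORIZED_APS).items():
        print(bssid, "estimated near", where)
```

With the constructed reports, the estimate is pulled toward ws-b and ws-c, which saw the strongest signal; the two authorized access points are each seen by one station only and produce no location, which is the expected outcome for a sparse monitoring set.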

To this point in the present discussion, information concerning an access point is obtained essentially passively. Such passive acquisition of information may present difficulty where it is desired to reconfigure an access point as described hereinafter. While information obtained passively may include the MAC address, signal strength and at least some configuration data for an access point, it will not include the IP address which may be necessary to establish control over the access point.

The present invention contemplates a sequence of steps by which an access point identified as a rogue access point may be further identified. A “listening” client continues to monitor traffic through the access point, monitoring the packet stream to determine either an IP address of a client connecting to the access point or watching a DHCP exchange occur. Information thus gathered is supplied to the server, providing sufficient information for the server to make a determination of whether the access point is in fact within an enterprise intranet. If the access point is within the enterprise intranet, then the server sends a message to a connected client directing the client to use active means to determine the IP address of the access point. This is done by an interrogation technique, where a special ICMP packet is sent to the access point directed to the MAC address but broadcast to the subnet. The access point will reply with its IP address, which is then sent to the server.

Software appropriate to the functions described here may be distributed to users using computer readable media such as the disk shown in FIG. 7, which may bear software which, when executing on either a workstation system or a server system, causes the system to perform the sequences shown in FIGS. 2 and 3, as appropriate to the type of system onto which the software is installed.

An exemplary access point in accordance with other aspects of this invention is illustrated in FIG. 4, where the access point is generally indicated at 20. The access point 20 is a node in the network 10, connected to certain other elements through a wired connection or interface 21 and possibly to others through wireless connections or interfaces 22. The access point 20 has a connectivity table 24 stored therewithin. The table may be stored in a network processor interposed between the two levels of interfaces 21, 22.

Industry consultants have defined a network processor (herein also mentioned as an “NP”) as a programmable communications integrated circuit capable of performing one or more of the following functions:

- Packet classification—identifying a packet based on known characteristics, such as address or protocol;
- Packet modification—modifying the packet to comply with IP, ATM, or other protocols (for example, updating the time-to-live field in the header for IP);
- Queue/policy management—reflecting the design strategy for packet queuing, de-queuing, and scheduling of packets for specific applications; and
- Packet forwarding—transmission and receipt of data over a switch fabric and forwarding or routing the packet to the appropriate address.

Although this definition is an accurate description of the basic features of early NPs, the full potential capabilities and benefits of NPs are yet to be realized. Network processors can increase bandwidth and solve latency problems in a broad range of applications by allowing networking tasks previously handled in software to be executed in hardware. In addition, NPs can provide speed improvements through architectures, such as parallel distributed processing and pipeline processing designs. These capabilities can enable efficient search engines, increase throughput, and provide rapid execution of complex tasks.

Network processors are expected to become the fundamental network building block for networks in the same fashion that CPUs are for PCs. Typical capabilities offered by an NP are real-time processing, security, store and forward, switch fabric connectivity, and IP packet handling and learning capabilities. NPs target ISO layer two through five and are designed to optimize network-specific tasks.

The processor-model NP incorporates multiple general purpose processors and specialized logic. Suppliers are turning to this design to provide scalable, flexible solutions that can accommodate change in a timely and cost-effective fashion. A processor-model NP allows distributed processing at lower levels of integration, providing higher throughput, flexibility and control. Programmability can enable easy migration to new protocols and technologies, without requiring new ASIC designs. With processor-model NPs, network equipment vendors benefit from reduced non-refundable engineering costs and improved time-to-market.

In accordance with conventional network operation, nodes in the network 10 maintain connectivity tables containing addresses of other nodes with which communication can be established. Depending upon the characteristics of the node in which such a table is maintained, the table may be known as a routing or trusted neighbor table. Such tables are periodically refreshed based on broadcast advertisements of detected connectivity. The present invention takes advantage of such routing or trusted neighbor tables and the ability of an intelligent node to perform processing as described above.

With this as background, the aspects of the present invention here under discussion contemplate that, on a periodic or random basis, a central site network management console can interrogate, using SNMP or more sophisticated techniques, the wireless access or wireless edge nodes. The goal in this interrogation is to determine the latest addition to the Layer 3 routing tables and to monitor the latest entries and their traffic flow for abnormal activities such as denial of server access. Alternatively, if interrogation is of a Layer 2 device, then the “trusted neighbor table” would be interrogated for the most recent entries and traffic monitored as above.

If immediate action is desired, then through SNMP and other techniques, either Layer 2 or Layer 3 filter tables (as appropriate) can immediately be set to deny access to the network. If it is desired to attempt to apprehend the intruder, the location of the rogue access point may be determined using the signal strength techniques described above. To “stall” the intruder, the filtering tables can be set in either the Layer 2 or Layer 3 case to route the traffic exchanged with the rogue access point to a secure server, which can be programmed with a series of scripts giving an intruder the feeling that they are gaining access to the network.

Depending upon the capabilities of the management program and the access point, it will be possible in many circumstances to identify the manufacturer of an identified “rogue” access point. With the manufacturer identified, it will be possible to access, from an appropriately constructed table, the default configuration and password of such an access point. With the default password in possession and assuming no alternative installation by the personnel who “put the point up” on the network, the management system software can access the security features of the access point and reconfigure the access point beyond the reconfiguring of routing and trusted neighbor tables. More specifically, the access point can be converted into a recognized, non-rogue, access point and conventional network management controls applied. These management controls may include financial controls such as charging for access as well as security controls such as establishing system management determined passwords.

Important characteristics of this invention thus include the abilities to interrogate the routing tables in an edge router or the trusted neighbor table in an access point, interrogate these tables in a random or deterministic fashion to determine if there are new entries, monitor the traffic flow from these new entries to determine if they are having issues with the network, such as service denial, and, through routing and trusted neighbor tables, to filter the intruder's traffic and either shut them down by appropriate entries into the tables or route their flows to a secure server to initialize a sequence of events to apprehend the intruder. These steps are as illustrated in FIG. 5.
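The console-side procedure summarized above (poll a node's connectivity table, pick out entries new since the last poll, check their traffic for trouble, and emit either a deny entry or a redirect-to-secure-server entry for the filter table), as an added Python example. This is illustrative code written for this page, not the patent's or any vendor's management software; the table snapshots, traffic counters and the authorized MAC set are constructed, and the SNMP retrieval itself is assumed to have happened already, so the functions operate on the dictionaries a poller would have filled in. The error-ratio threshold standing in for the text's "service denial" symptom is an assumption.

```python
from dataclasses import dataclass, field

# Constructed snapshots of an access point's trusted-neighbor (Layer 2) table,
# as a management console might hold them after two successive SNMP polls.
# Keys are MAC addresses; values record the port the entry was learned on.
SNAPSHOT_T0 = {
    "00:11:22:33:44:01": {"port": 1},
    "00:11:22:33:44:02": {"port": 2},
}
SNAPSHOT_T1 = {
    "00:11:22:33:44:01": {"port": 1},
    "00:11:22:33:44:02": {"port": 2},
    "AA:BB:CC:DD:EE:FF": {"port": 7},   # constructed: appears between polls
}

# Constructed per-entry traffic counters read on the second poll
# (frames seen, frames failed or rejected), standing in for interface statistics.
TRAFFIC_T1 = {
    "00:11:22:33:44:01": {"frames": 1200, "errors": 2},
    "00:11:22:33:44:02": {"frames": 800, "errors": 0},
    "AA:BB:CC:DD:EE:FF": {"frames": 9000, "errors": 850},
}

# Hypothetical inventory of MAC addresses the IT organization has authorized.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


@dataclass
class ConnectivityMonitor:
    """Keeps the last table snapshot per node and reports entries new since then."""
    last_seen: dict = field(default_factory=dict)

    def poll(self, node, snapshot):
        previous = self.last_seen.get(node)
        self.last_seen[node] = dict(snapshot)
        if previous is None:
            return {}          # first poll only establishes the baseline
        return {mac: snapshot[mac] for mac in snapshot.keys() - previous.keys()}


def traffic_abnormal(stats, max_error_ratio=0.05):
    """Flag an entry whose failed-frame ratio exceeds the threshold (assumed
    stand-in for the service-denial symptom the text describes)."""
    if stats["frames"] == 0:
        return False
    return stats["errors"] / stats["frames"] > max_error_ratio


def filter_rules(new_entries, authorized, traffic, stall=False):
    """Build filter-table entries for new entries that are not authorized.

    stall=False denies the MAC outright; stall=True redirects its traffic to a
    secure server instead so the intruder can be observed while being located.
    """
    rules = []
    for mac in sorted(new_entries):
        if mac in authorized:
            continue
        stats = traffic.get(mac, {"frames": 0, "errors": 0})
        rule = {"match": mac, "abnormal_traffic": traffic_abnormal(stats)}
        if stall:
            rule.update(action="redirect", target="secure-server")
        else:
            rule["action"] = "deny"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    mon = ConnectivityMonitor()
    mon.poll("ap-20", SNAPSHOT_T0)            # baseline
    new = mon.poll("ap-20", SNAPSHOT_T1)      # one new neighbor appears
    for rule in filter_rules(new, AUTHORIZED, TRAFFIC_T1):
        print(rule)
```

The monitor keeps state per node, so a console polling several access points and edge routers can reuse one instance; entries that vanish and reappear between polls are reported as new again, which is the conservative choice for a trusted-neighbor table that is periodically refreshed.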

Further, and in alignment with other goals of this invention, the identity of the access point if reconfigured will be added to registers of ports for which charges are allocated and usage and access charges will be accumulated against that port identity. The relevant steps are illustrated in FIG. 6.

Once again, and as mentioned hereinabove, programs effective to implement these steps while running on a system such as the server 11 may be distributed by writing onto appropriate computer readable media, such as the disk shown in FIG. 7.

In the drawings and specifications there has been set forth a preferred embodiment of the invention and, although specific terms are used, the description thus given uses terminology in a generic and descriptive sense only and not for purposes of limitation.

1. A method comprising the steps of: monitoring access points throughwhich data can be exchanged with a network, identifying an unauthorizedaccess point, and monitoring traffic passing through the identifiedunauthorized access point.
 2. A method according to claim 1 furthercomprising the step of determining the geographical location of theidentified unauthorized access point.
 3. A method according to one ofclaims 1 and 2 further comprising the step of applying traffic filteringto monitored traffic passing through the identified unauthorized accesspoint.
 4. A method according to one of claims 1, 2 and 3 furthercomprising the steps of: responding to the identification of anunauthorized access point by determining the make, model and defaultconfiguration password for the unauthorized access point, and addressingthe unauthorized access point using the default password and, on gainingaccess thereto, reconfiguring the access point into an authorized accesspoint.
 5. A method according to one of claims 1 through 4 furthercomprising the step of accumulating charges for access and usage ofnetwork resources identified to the identified unauthorized accesspoint.
 6. A method according to one of claims 1 through 5 wherein thestep of identifying an unauthorized access point comprises comparing theidentity of monitored access points with a database of authorized accesspoints.
 7. A method according to claim 6 wherein the step of monitoringcomprises equipping each of a plurality of computer devices to detectaccess points accessible to the device and to report to a servercomputer system the identity of detected access points.
 8. A methodaccording to claim 6 wherein the step of monitoring comprises queryingnetwork nodes for recent entries into node identifyingconnectivitytables maintained at the nodes.
 9. A method according to oneof claims 7 and 8 wherein the step of monitoring is performedintermittently and periodically.
 10. A method according to claim 9wherein the step of monitoring is performed at predetermined regularintervals.
 11. A method according to claim 9 wherein the step ofmonitoring is performed at random irregular intervals.
 12. A methodaccording to claim 2 wherein the step of determining the geographiclocation of an identified unauthorized access point comprises comparingthe locations of a plurality of computer devices all of which reportdetection of the identified unauthorized access point.
 13. A methodaccording to claim 3 wherein the step of applying traffic filteringcomprises denying access to the network through the identifiedunauthorized access point.
 14. Apparatus comprising: a computer system; a network interface connected to said system and providing a communication channel between said system and a network; and program instructions stored accessibly to said computer system and cooperating with said computer system when executing on said computer system to monitor access points through which data can be exchanged with a network, assist in identifying an unauthorized access point, and monitor traffic passing through an identified unauthorized access point.
 15. Apparatus according to claim 14 wherein said computer system is a workstation computer system and further wherein said program instructions include an access point identification program cooperating therewith when executing on said system to identify access points accessible through said interface; and a reporting program cooperating with said identification program and with said system when executing on said system to report through said interface to a remote server computer system the identity of access points.
 16. Apparatus according to claim 14 wherein said computer system is a server computer system and further wherein said program instructions include a node identification database cooperating therewith when said program is executing on said system to identify unauthorized access points accessible to said system through said interface.
 17. Apparatus according to one of claims 15 and 16 and further comprising a geographical location determining program effective when executing to derive the physical location of an unauthorized access point.
 18. Apparatus according to one of claims 15 through 17 and further comprising a traffic filter controlling program effective when executing to selectively impose a filter on traffic exchanged with the network through an unauthorized node.
 19. Apparatus according to one of claims 15 through 18 and further comprising a control program effective when executing to respond to the identification of an unauthorized access point by determining the make, model and default configuration password for the unauthorized access point, address the unauthorized access point using the default password and, on gaining access thereto, reconfigure the access point into an authorized access point.
 20. Apparatus according to one of claims 15 through 19 and further comprising an accounting control program effective when executing to accumulate charges for access and usage of network resources identified to the identified unauthorized access point.
 21. A program product comprising: a computer readable medium; and program instructions stored on said medium accessibly to a computer system and effective when executing on a system to: monitor access points through which data can be exchanged with a network, identify an unauthorized access point, and monitor traffic passing through the identified unauthorized access point.
 22. A program product according to claim 21 wherein the program instructions further comprise instructions effective to determine the geographical location of the identified unauthorized access point.
 23. A program product according to one of claims 21 and 22 wherein the program instructions further comprise instructions effective to apply traffic filtering to monitored traffic passing through the identified unauthorized access point.
 24. A program product according to one of claims 21, 22 and 23 wherein the program instructions further comprise instructions effective to respond to the identification of an unauthorized access point by determining the make, model and default configuration password for the unauthorized access point, and address the unauthorized access point using the default password and, on gaining access thereto, reconfigure the access point into an authorized access point.
 25. A program product according to one of claims 21 through 24 wherein the program instructions further comprise instructions effective to accumulate charges for access and usage of network resources identified to the identified unauthorized access point.
 26. A program product according to one of claims 21 through 25 wherein the program instructions further comprise instructions effective to compare the identity of monitored access points with a database of authorized access points.
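The server-side portion of the monitoring method in claims 6, 7, 12 and 13 can be illustrated with a small worked example. The following Python is an added example written for this page; it is not code from the patent or from any product. It assumes a constructed report format in which each workstation sends its own floor-plan position and the BSSIDs it detected, a constructed authorized-AP database, and a placeholder deny-rule syntax; the location estimate is a plain centroid of the reporting devices' positions, which is one simple reading of "comparing the locations of a plurality of computer devices" in claim 12.

```python
"""
Added example (not part of the patent text): a defender-side rogue access
point check in the style of claims 6, 7, 12 and 13.  Workstations report
the access points they can see together with their own location; the
server compares each reported BSSID against a database of authorized
access points, flags anything unknown, estimates where the rogue device is
from the positions of every reporter that saw it, and emits a deny rule.
All names, data structures and sample reports are constructed for this
example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Report:
    """One workstation's scan report (claim 7 style)."""
    device: str
    location: Tuple[float, float]   # (x, y) in metres on a floor plan; constructed
    bssids: List[str]               # MAC addresses of access points it detected


# Constructed authorized-AP database (claim 6): BSSID -> human label.
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:33:44:01": "floor1-north",
    "00:11:22:33:44:02": "floor1-south",
}


def find_rogue_aps(reports: List[Report], authorized: Dict[str, str]) -> Dict[str, List[Report]]:
    """Return rogue BSSID -> list of reports that detected it.
    BSSIDs are case-normalised so that mixed-case reports from different
    scanners compare equal."""
    known = {k.lower() for k in authorized}
    rogues: Dict[str, List[Report]] = {}
    for r in reports:
        for bssid in r.bssids:
            key = bssid.lower()
            if key not in known:
                rogues.setdefault(key, []).append(r)
    return rogues


def estimate_location(reporters: List[Report]) -> Tuple[float, float]:
    """Centroid of the reporting devices' positions (claim 12 style).
    Simple averaging; a real deployment would weight by signal strength."""
    n = len(reporters)
    x = sum(r.location[0] for r in reporters) / n
    y = sum(r.location[1] for r in reporters) / n
    return (round(x, 2), round(y, 2))


def deny_rule(bssid: str) -> str:
    """Traffic filter entry (claim 13): deny traffic bridged via the rogue AP.
    The rule text is a constructed placeholder, not any firewall's syntax."""
    return f"deny src-ap {bssid} any"


def analyse(reports: List[Report], authorized: Dict[str, str]) -> List[dict]:
    """Full pass: identify rogues, locate them, and produce filter entries."""
    findings = []
    for bssid, reporters in find_rogue_aps(reports, authorized).items():
        findings.append({
            "bssid": bssid,
            "seen_by": sorted(r.device for r in reporters),
            "estimated_location": estimate_location(reporters),
            "filter": deny_rule(bssid),
        })
    return findings


# Constructed sample reports: three workstations see an unknown BSSID.
SAMPLE_REPORTS = [
    Report("ws-a", (0.0, 0.0), ["00:11:22:33:44:01", "AA:BB:CC:DD:EE:FF"]),
    Report("ws-b", (10.0, 0.0), ["00:11:22:33:44:01", "aa:bb:cc:dd:ee:ff"]),
    Report("ws-c", (5.0, 10.0), ["00:11:22:33:44:02", "AA:BB:CC:DD:EE:FF"]),
    Report("ws-d", (40.0, 40.0), ["00:11:22:33:44:02"]),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_REPORTS, AUTHORIZED_APS):
        print(finding)
```

Running it reports a single rogue BSSID seen by ws-a, ws-b and ws-c, places it at roughly (5.0, 3.33) on the constructed floor plan, and produces the placeholder deny rule; ws-d, which saw only authorized APs, does not contribute to the estimate.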